Apt supports a new format for describing its sources. This format is based on RFC822 and is know as Deb822. An example from the man page sources.list(5) is as follows:

Types: deb deb-src
URIs: http://example.com
Suites: stable testing
Sections: component1 component2
Description: short
 long long long
[option1]: [option1-value]

Types: deb
URIs: http://another.example.com
Suites: experimental
Sections: component1 component2
Enabled: no
Description: short
 long long long
[option1]: [option1-value]

Augeas should implement a new lens (perhaps sharing a common base with debctrl lens) that can parse this new format. Users, at their choice, are allowed to pick any of the old or new formats. This means that to be able to reliably modify sources list, programs must understand both the formats.

Motivation: Attackers may observe systems downloading a particular security update and realize that is vulnerable and attack it before the security update is applied. Jacob Applebaum's talk at Debconf discusses this. apt-transport-tor allows downloading packages anonymously via the Tor anonymity network. This makes this kind of attacks much more difficult. apt-transport-tor is available for Debian as a package. To enable it, one has to update all the URLs in sources.list to look like tor+http:// instead of http://. This can't be done reliably if Augeas can parse only one of the two known file formats.

Further notes on Deb822: The current version of Apt supports both formats in the same files. It interprets the file as one format or the other using a configuration setting. This is a bit of a problem for Augeas as it parses files based on path/name. The Apt developers have changed this behavior in Apt 1.1 which is available in Debian experimental. In Apt 1.1:

• /etc/apt/sources.list will always be old style format.
• /etc/apt/sources.list.d/*.list will always be old format.
• /etc/apt/sources.list.d/*.sources will always be new format files.